The goal of this article is to explain the GRX Auto Inherent Risk feature, commonly known as "AIR". For more information about Inherent Risk in general, see the Inherent and Residual Risk Methodology article.
Auto Inherent Risk (AIR) provides default answers to the 8 Impact Questionnaire questions for every "Unconfirmed" Third Party (TP) in a user's portfolio. These impact questions feed the calculation of the "Inherent Risk" level (Critical, High, Medium, Low, Nominal) that a specific TP poses to the user, based on the relationship between them. More information about that calculation can be found in the Inherent and Residual Risk Methodology article referenced above.
AIR and the Impact Questionnaire are typically used in the early stages of a TPRM team's workflow to identify the riskiest Third Parties in the portfolio, and so help prioritize the team's activities around confirming and/or remediating the risk posed by those Third Parties.
Because of the insight this feature enables, and because prioritizing your third party portfolio happens up front, GRX automatically populates the answers to the 8 Impact Questionnaire questions to expedite the tiering process. The answers are auto-populated by crowd-sourcing the thousands of company relationships that already exist in the Exchange and presenting the most common answer given by similar Customer companies working with similar Third Party companies. Similarity between Third Parties is determined primarily by their Industry classification.
Users are encouraged to review the AIR answers on the Impact Questionnaire and edit or confirm the auto-populated answers by completing the Impact Questionnaire, especially for Critical, High and Medium vendors. Once the Impact Questionnaire is submitted, the Third Party's Inherent Risk becomes "Confirmed" and the word "Unconfirmed" no longer displays in the Inherent Risk column of the Third Party Portfolio Table (PMT). The answers to these questions can still be edited at any time, even after they are confirmed, from the Third Party's Vendor Profile Page.
The answers to the 8 Impact Questionnaire questions do more than identify the Third Parties with the highest Inherent Risk: they also allow GRX to contextualize the analysis of the predictive and self-attested assessment results, both in the Residual Risk scores and rating and in the assessment review. For example, the impact answers are used together with the Findings so the customer can prioritize the identified control findings (e.g. a Third Party may indicate on their questionnaire that they do not encrypt data) on the Risk Navigator table. If the user evaluating the Third Party does not provide that vendor with any data, a finding in the Third Party's controls that is associated with "Data" will not be presented as a "Moderate" or "Significant" Maximum Impact, because it has less impact on the user reviewing those results.
Each time a user edits any answer to the 8 Impact Questionnaire questions for a Third Party in their portfolio, scoring is re-triggered so the analysis is updated in real time. The resulting Inherent Risk, Residual Risk, and Maximum Impact changes can be viewed on the Risk Profile tab of any Third Party in the Portfolio.
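The crowd-sourced defaulting, the Unconfirmed-to-Confirmed transition and the "Data" finding contextualization described above, as an added illustration that is not GRX code: the three question keys, the Exchange records and the "Limited" label are constructed placeholders, since the article does not list the 8 questions or the reduced-impact label.

```python
from collections import Counter

# Hypothetical question keys standing in for GRX's 8 Impact Questionnaire questions.
QUESTIONS = ["data_shared", "system_access", "business_criticality"]

# Constructed sample of relationships already in the Exchange: which kind of customer
# works with which kind of Third Party, and how that customer answered the questionnaire.
EXCHANGE = [
    {"customer_industry": "Banking", "tp_industry": "Cloud Hosting",
     "answers": {"data_shared": "Yes", "system_access": "Yes", "business_criticality": "High"}},
    {"customer_industry": "Banking", "tp_industry": "Cloud Hosting",
     "answers": {"data_shared": "Yes", "system_access": "No", "business_criticality": "High"}},
    {"customer_industry": "Banking", "tp_industry": "Cloud Hosting",
     "answers": {"data_shared": "No", "system_access": "No", "business_criticality": "Medium"}},
    {"customer_industry": "Retail", "tp_industry": "Catering",
     "answers": {"data_shared": "No", "system_access": "No", "business_criticality": "Low"}},
]


def air_defaults(exchange, customer_industry, tp_industry):
    """Crowd-source default answers: per question, the most common answer given by
    customers in the same industry about Third Parties in the same industry.
    Returns None when the Exchange holds no similar relationship to borrow from."""
    peers = [r["answers"] for r in exchange
             if r["customer_industry"] == customer_industry and r["tp_industry"] == tp_industry]
    if not peers:
        return None
    defaults = {q: Counter(a[q] for a in peers if q in a).most_common(1)[0][0]
                for q in QUESTIONS}
    return {"answers": defaults, "status": "Unconfirmed"}


def submit_questionnaire(profile, edits):
    """The user reviews the AIR answers, overrides any of them and submits: the profile
    becomes Confirmed and scoring is re-triggered (represented here by a flag)."""
    answers = dict(profile["answers"])
    answers.update(edits)
    return {"answers": answers, "status": "Confirmed", "rescore": True}


def finding_max_impact(finding_category, severity, answers):
    """Contextualise a control finding with the impact answers: a finding tied to "Data"
    is only presented as Moderate/Significant when the customer actually shares data."""
    if finding_category == "Data" and answers.get("data_shared") == "No":
        return "Limited"  # constructed label for the reduced Maximum Impact
    return severity
```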